Tuesday, August 17, 2010

Hotels and Credit-Card Fraud

Your credit card is far more likely to be hacked at a hotel than anywhere else you use it. According to a report in January by Trustway SpiderLabs, 38 percent of the hacking breaches it investigated last year occurred in hotel credit card systems.

That was way more than breaches in other hacker favorites, including retail and restaurants.

The most recent example of hotel hacking, discovered last week, occurred starting in May at the Doherty Hotel, a convention hotel in Clare, Mich. About 150 people have reported that fraudulent charges appeared after they patronized the hotel. A Secret Service spokesman told the Clare Times online (report is here) that the hotel's guest computer system had been identified as the target of the hacking attack.

It is clear that lots of hotels have these issues. It isn't clear exactly how many. But the reports are troubling.

In June, it was reported that Destination Hotels, a chain of 30 luxury hotels, had been the target of what ABC News called "an intense database attack" that compromised at least 700 customer credit cards. Also in June, Wyndham Hotels said that a "sophisticated hacker" had gained access to credit-card data at up to 31 of its hotels between last November and January 23, 2010, when the attack was discovered.

For Wyndham, it was the second time in two years that credit cards had been hacked.

Wyndham and other hotels named in recent reports on the problem have said they are improving their point-of-sale and other credit-card data technology systems in response.

After I wrote about the Wyndham and Destination incidents, I got a lot of calls from national and local radio stations asking me to discuss the issue. Why hotels? they all wanted to know. And what can we do to protect ourselves?

Well, the reason hotels are a good target is that hotels collect a lot of customer data that a hacker can fairly easily access through point-of-sale systems and readily score enough information to be able to steal a credit card's data.

Mainly, this is because individual hotels are often owned by small or regional entrepreneurs -- investors who actually build, develop and own the properties, many of whom have been frantic in recent years as rates and occupancy have plunged. (Big hotel chains like Hilton or Marriott mainly manage the various brands, and charge the actual owners hefty fees for being associated with, and adherent to the standards of, a given brand).

With less money coming in following the Wall Street collapse, after a heady period of the best prosperity in the hotel industry's history, many hotel owners were caught flatfooted. Even while revenue plunged, they had to invest heavily in improving technology in immediate guest-demand things like better Wi-Fi and high-definition TV. At the same time, global hackers discovered that hotel point-of-sale systems were particularly vulnerable. In many instances, hotel owners simply have not yet invested what they need to in making their back-office data-processing technologies more secure against the new breed of hackers.

It often takes a hotel months to even discover that its system has been hacked.

Consumers have a degree of protection in credit-card fraud -- assuming they notify their credit card issuer promptly of a fraudulent charge.

But I've been advising people that it's easy to get blindsided even with this protection. For one thing, frequent travelers often don't carefully review their credit-card purchases on the road and may overlook fraud. For another, we're all now so accustomed to whipping out that credit card for small purchases, even a coffee at Starbucks, that we are more likely to not notice on our credit-card activity-reports the kind of small, frequent illegitimate charges that hackers first start hitting your card with, just to probe it, or in a case of basic hit-and-run.

In the last six months, both my wife and I have had credit cards we use for travel hacked. In both cases, the fraud began with multiple small charges listed as being for numerous Apple iTunes purchases, all in a very short period. In both cases, the fraud totaled over $400 before we contacted our credit card companies. (Neither of us has an Apple iTunes account, incidentally.)

In both cases, the fraudulent charges were removed. However, in both cases, the credit card company canceled our existing cards and issued new ones. With new numbers, of course.

Oops, that led to a problem I hadn't anticipated. Like many people in recent years, especially travelers who are away from home a lot, I tended to put routine household and other bills on credit card "auto-pay." Works beautifully. But when your credit card number changes, those auto-pays suddenly can get rejected if you haven't gone to the trouble of changing them to the new card number. I thought I caught most of them in time, but I overlooked a couple like the water bill. That took more phone calls to fix than I cared to make.

The credit card industry 9to protect itself, not consumers, of course) is now pushing hard for hotels and other businesses to adopt uniform standards for data security. Consumers, meanwhile, need to be simply up to date on issues such as credit card fraud. The Privacy Rights Clearing House has useful information on this.

I spoke recently with one of the leading experts in credit-card fraud, Anthony C. Roman, a private investigator in New York who now specializes in high-tech fraud investigations, but who once worked as a bodyguard for the infamous hotelier Leona Helmsley.

Here's some of what he said about hotels and credit-card hacking:

Hotel credit card point-of-sale systems (which begin at the place where your card is physically swiped through the machine) often offer a hacker the greatest trove of personal data for the least effort, he said. Hackers can work on site, or more often remotely online, using readily available personal information, sometimes culled from customer receipts and bill print-outs.

In the hotel industry, "the collection, storage and transmission of credit-card information is of particular importance," he said.

At many hotels, "upper executive management is developing more secure systems and procedures with regard to personal-data security, including the personal data on the magnetic strip on the back of credit cards, including things like date of birth, Social Security number, home address -- that kind of thing. That stuff is actually on the credit card."

Credit card issuers are trying to crack down harder to comply with standards that encompass "maintaining a secure computer network, which includes the computer network from the POS, point of sale, from the card-swiper through the internal network and terminals at the front desk or in executive or administrative offices. And after that, the broader network between that particular hotel site and the corporation at large all need to be secure," he said, adding:

"The best method to protect the data is by having a POS [point-of-sale] system that uses a transaction code in which the data is immediately encrypted when it hits the machine, and therefore not hackable for most casual hackers. It is, though, still somewhat hackable for the geniuses -- but most hackers are not geniuses or even brilliant. So we're talking about mitigating the vast majority of attacks" with a more secure point-of-sale front-end system that is protected through encryption.

"It’s not a standard created by the hotel, it's a worldwide standard created by the credit card industry," he said. "It requires purchasing not only of software and hardware technology, firewalls, encryption programs, et cetera, it also requires putting in place standardized procedural methods that are administrative in nature." That includes procedures for complex passwords that change at "rate differential periods" so no regular pattern can be discerned, he said.

This means spending more dough, if you're a hotel owner.

Also, he said, "there should be an audit trail to everything, as well as standardized preliminary and ongoing training of staff, and an overall system reflecting when and if privacy-sensitive data is released, to whom, and under what circumstances."

Hotels are by nature customer-service friendly. This builds a weakness into the system. A hacker with one stolen (or otherwise obtained) document, even a discarded bill, can sometimes call a hotel and say he or she needs a new copy of a bill. Hotels tend to comply.

"RevPARS [revenues per available room] are down dramatically as result of the economic turndown," he said. Many hotels "simply don’t have the money, and aren’t making the investment [in better technology security] at this time," he said.

The message hotel owners are hearing from credit card companies and even hotel chain management is this: Find the money and fix your systems. And as these instances of hacking continue, consumers are going to be demanding the same.

Bio

Joe Sharkey's work appears in major national and international publications. For 19 years until 2015 he was a weekly columnist for the New York Times. He is now a weekly travel and entertainment columnist with the global website Travel.Buzz, as well as an adjunct professor of journalism at the University of Arizona, He has written five books, four non-fiction and a novel, one of which is in development as a movie. Previously, he was an assistant national editor at the Wall Street Journal and a reporter and columnist with the Philadelphia Inquirer.
On Sept. 29, 2006, he was one of seven people on a business jet who survived a mid-air collision with a 737 over the Amazon. All 154 on the 737 died. His report on the crash appeared on the front page of the New York Times and later in the Sunday Times of London magazine.
He and his wife Nancy (who is a professor of journalism at the University of Arizona) live in Tucson with horses and parrots. He is working on a new novel about an international travel writer who hates to travel.
"JoeSharkey.com" is Copyright (c) 2006-2015 by Joe Sharkey.